What Happened in the Drug and Alcohol Treatment Services Data Breach?
Drug and Alcohol Treatment Services, Inc. (DATS), a Scranton, Pennsylvania-based provider of addiction treatment programs, suffered a ransomware attack that led to the theft of sensitive patient and employee data. The Drug and Alcohol Treatment Services data breach began when an unauthorized third party gained access to the organization’s computer network. As a result, thousands of patients and staff members had their personal and health information exposed.
According to the investigation, unauthorized access to the DATS network occurred between October 5 and October 6, 2024. DATS identified the intrusion on October 6, 2024. The Interlock ransomware group later claimed responsibility for the attack, stating that it stole approximately 150 GB of data. Because DATS did not pay the ransom demand, the attackers published the stolen files on their dark web leak site.
DATS confirmed the breach internally on December 5, 2024. However, notification letters were not sent to affected individuals until May 2, 2025, nearly seven months after the intrusion was first detected. This delay became a central issue in the litigation that followed. A forensic investigation into the incident confirmed which categories of data had been accessed and stolen during the attack window.
In response to the breach, eight separate class action lawsuits were filed against DATS. These cases were later consolidated into a single complaint in the Court of Common Pleas of Lackawanna County, Pennsylvania. The consolidated litigation resulted in a proposed settlement, which the company agreed to in order to resolve the claims without further litigation.
Who was affected?
The Drug and Alcohol Treatment Services data breach affected both patients and employees of the organization. DATS notified the HHS Office for Civil Rights that 22,215 individuals had their information compromised in the incident. This figure represents the confirmed number of people whose protected health information was accessed by the attackers.
Because DATS provides addiction treatment services, many affected individuals are current or former patients who sought care for substance use disorders. This adds a layer of sensitivity to the breach, since treatment records for addiction services are often considered especially private. In addition, employees of the organization were also swept up in the exposure, meaning both staff and patient populations bear risk from this incident.
What Information Was Potentially Exposed?
The data stolen in this breach spans both personal identifiers and detailed health records. Because DATS handles addiction treatment, the exposed information includes clinical details that go beyond typical financial data breaches. The following categories of information were confirmed as compromised:
- Full names
- Dates of birth
- Social Security numbers
- Health insurance information
- Medical billing and claims information
- Patient account numbers
- Prescription and medication information
- Diagnosis and treatment information
- Medical histories
- Financial information
This combination of data creates serious risk for identity theft. When Social Security numbers are paired with dates of birth and financial details, criminals can open new credit accounts, file fraudulent tax returns, or apply for loans in a victim’s name. As a result, affected individuals face a heightened risk of long-term financial harm that can persist for years after the initial breach.
Beyond financial fraud, the exposure of medical and treatment information introduces the risk of medical identity theft. For example, someone could use stolen insurance details to obtain medical services or prescriptions fraudulently. Because this breach involves addiction treatment records specifically, affected individuals may also face privacy and reputational concerns if this sensitive information becomes public or falls into the wrong hands.
What is the company doing?
After confirming the breach, DATS launched a forensic investigation to determine the scope of the unauthorized access. The company stated it was unaware of any actual misuse of the stolen data at the time it issued notification letters. In response to the incident, DATS offered affected individuals complimentary credit monitoring and identity theft protection services to help reduce potential harm.
Following the consolidation of the class action lawsuits, DATS agreed to settle the litigation rather than proceed to trial. The company continues to deny any wrongdoing and disputes the claims made against it. However, DATS agreed to establish a $549,000 settlement fund to resolve the matter and avoid the ongoing costs and uncertainty of continued litigation.
As part of the settlement, class members who submit valid claims can receive cash payments. In addition, the settlement includes a free 12-month membership to a medical data monitoring service for eligible class members. This benefit is meant to give affected individuals ongoing visibility into whether their medical information is being misused.
What Should Affected Individuals Do?
Monitor Your Credit Reports Regularly
Affected individuals should check their credit reports frequently for signs of unauthorized activity. Because Social Security numbers were exposed in this breach, criminals could attempt to open new credit accounts or loans using stolen identities. Regularly reviewing your reports helps you catch fraudulent activity early, before it causes lasting damage.
You can request free credit reports from each of the three major credit bureaus. In addition to routine checks, consider setting up ongoing monitoring through a paid or free service. This makes it easier to spot suspicious inquiries or new accounts as soon as they appear.
Consider a Credit Freeze or Fraud Alert
Because financial information and Social Security numbers were compromised, placing a credit freeze is a strong protective step. A credit freeze blocks new creditors from accessing your credit file, which makes it much harder for identity thieves to open accounts in your name. This is one of the most effective tools available to consumers after a breach like this.
Alternatively, you can place a fraud alert on your credit file, which requires lenders to verify your identity before extending credit. Fraud alerts are easier to set up than freezes and still provide meaningful protection. Either option can significantly reduce your risk of becoming a victim of new-account fraud.
Watch for Medical Identity Theft
Since diagnosis, treatment, and health insurance information were exposed, affected individuals should watch closely for signs of medical identity theft. This can include unexpected medical bills, unfamiliar insurance claims, or notices about services you never received. Because this breach involves addiction treatment records, monitoring your insurance statements is especially important.
If you notice any unfamiliar charges or claims, contact your health insurance provider immediately. Request an itemized statement of benefits and dispute any charges that do not belong to you. Taking swift action can help limit financial and medical record damage caused by fraudulent use of your information.
Stay Alert to Phishing Attempts
After a data breach, scammers often use stolen information to craft convincing phishing emails or phone calls. Because your name, date of birth, and health details were exposed, criminals may try to impersonate legitimate organizations to extract more information from you. Therefore, it is important to remain cautious of unexpected messages asking for personal details.
Never click on links or provide information in response to unsolicited communications. Instead, verify the sender’s identity by contacting the organization directly through official channels. This simple habit can prevent scammers from gaining additional access to your accounts or identity.
Understand Your Settlement Options
If you were notified about this breach, you may be eligible to file a claim under the settlement. Eligible class members can seek reimbursement for documented, unreimbursed losses up to $5,000, or opt for a pro rata cash payment instead. In addition, class members qualify for a free 12-month medical data monitoring membership.
Because claims must be submitted by the September 24, 2026 deadline, affected individuals should act promptly. If you have questions about your eligibility or the claims process, consulting a data breach attorney can help you understand your options and ensure you don’t miss important deadlines.
